
bug(sbom): Trivy only checks parents from the current result when plotting the dependency graph

Open DmitriyLewen opened this issue 9 months ago • 1 comment

Description

There are cases when one package type relates to another package type (this is usually found in SBOM files), e.g. (see #8419 for the full example):

    {
      "SPDXID": "SPDXRef-airflow-gnrtd556",
      ...
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:bitnami/[email protected]?arch=amd64\u0026distro=photon-5",
          "referenceType": "purl"
        }
      ],
      ...
    },
    {
      "SPDXID": "SPDXRef-Package-gnrtd486",
      ...
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:pypi/[email protected]",
          "referenceType": "purl"
        }
      ],
     ...
    },
    {
      "relatedSpdxElement": "SPDXRef-Package-gnrtd486",
      "relationshipType": "CONTAINS",
      "spdxElementId": "SPDXRef-airflow-gnrtd556"
    }

We check parents (to bind package to parent) only from one result: https://github.com/aquasecurity/trivy/blob/85cca8c07affee4ded5c232efb45b05dacf22242/pkg/sbom/io/encode.go#L189-L190

So in this case we don't create these relationships. We relate packages to the root component:

    {
      "ref": "6310c971-7edd-453d-a4f0-b2131e5d468d", // Application for bitnami package
      "dependsOn": [
        "pkg:bitnami/[email protected]?arch=amd64&distro=photon-5"
      ]
    },
    {
      "ref": "pkg:oci/airflow@sha256%3A445400e36e168d2186330fce04d5171dda12876a4326110ba26c3a8f016d6bb9",
      "dependsOn": [
        "6310c971-7edd-453d-a4f0-b2131e5d468d",
        "pkg:pypi/[email protected]"
      ]
    },
    {
      "ref": "pkg:pypi/[email protected]",
      "dependsOn": []
    }

Solution

~~We need to find parents from all results.~~

Discussed in https://github.com/aquasecurity/trivy/discussions/8419

DmitriyLewen · Mar 10 '25 08:03

We need to find parents from all results.

I thought about this solution today. It won't help us.

Possible cases where this method will be wrong, e.g.:

graph LR;
  binA(go/binA)
  pkgA
  pkgB1(pkgB)

  binA-->pkgA
  pkgA-->pkgB1

  binB(go/binB)
  pkgB2(pkgB)

  binB-->pkgB2

The belongToParent function should bind pkgB to go/binB, but:

  • current logic: when we parse go/binB, we don't find parents for pkgB, because this Result doesn't have a parent for this package.
  • new logic (when we find parents from all results): we will find parents from pkgA, so we will not bind pkgB to go/binB.

So perhaps we need to think about translating relationships from the scanned SBOM into the result SBOM.

DmitriyLewen · Mar 11 '25 04:03
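To make the two comments concrete, here is an added Go model of the parent-binding check (example code written for this page, not Trivy's own encoder): `Pkg`, `Result`, `parentDeps` and `ParentBindings` are hypothetical stand-ins that reduce the unknown-relationship branch of the check to "a package with no known parent binds to its result's parent component", and the two-binary graph from the comment is constructed inline. It shows that searching parents only within the current result binds pkgB to go/binB, while searching all results finds pkgA as a parent and drops that binding.

```go
package main
import "fmt"
// Pkg and Result are hypothetical stand-ins for Trivy's types (fields trimmed).
type Pkg struct {
	ID        string
	DependsOn []string
}
type Result struct {
	Target string // parent component of this result, e.g. "go/binB"
	Pkgs   []Pkg
}
// parentDeps maps each package ID to the packages depending on it, across
// whichever results are passed in (one result, or all of them).
func parentDeps(results ...Result) map[string][]string {
	parents := map[string][]string{}
	for _, r := range results {
		for _, p := range r.Pkgs {
			for _, dep := range p.DependsOn {
				parents[dep] = append(parents[dep], p.ID)
			}
		}
	}
	return parents
}
// ParentBindings lists "target -> pkg" for packages of unknown relationship: a
// package with no known parent binds to its result's parent component.
// perResult=true searches only the package's own result (current logic);
// false searches every result (the struck-out "all results" proposal).
func ParentBindings(results []Result, perResult bool) []string {
	global, out := parentDeps(results...), []string{}
	for _, r := range results {
		parents := global
		if perResult {
			parents = parentDeps(r)
		}
		for _, p := range r.Pkgs {
			if len(parents[p.ID]) == 0 {
				out = append(out, r.Target+" -> "+p.ID)
			}
		}
	}
	return out
}
func main() {
	// Constructed input, the comment's graph: pkgB is transitive under go/binA
	// (via pkgA) but a direct, parentless package under go/binB.
	results := []Result{
		{Target: "go/binA", Pkgs: []Pkg{{ID: "pkgA", DependsOn: []string{"pkgB"}}, {ID: "pkgB"}}},
		{Target: "go/binB", Pkgs: []Pkg{{ID: "pkgB"}}},
	}
	fmt.Println(ParentBindings(results, true))  // [go/binA -> pkgA go/binB -> pkgB]
	fmt.Println(ParentBindings(results, false)) // [go/binA -> pkgA]: go/binB loses pkgB
}
```

The same model reproduces the issue description's cross-type case in reverse: with per-result lookup a pypi package whose only parent sits in a bitnami result has no parent in its own result and is bound to its parent component instead, which is why neither lookup strategy alone covers both cases.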